j81blog / GenLeCertForNS

This script helps you to create a Let's Encrypt certificate for your NetScaler
GNU General Public License v3.0

Netscaler Build 13.1-53.17 - Error urn:ietf:params:acme:error:connection Timeout during connect (likely firewall problem),"status":400 #22

Closed Pyla5-Katy0-Vibe7 closed 2 months ago

Pyla5-Katy0-Vibe7 commented 2 months ago

After upgrading from 13.1-52.19 to 53.17 I can no longer get the script to work. This was the only change on our infrastructure. Tested with script versions 2.15.0 and 2.25.0.

```
2024-06-10 12:19:50:6409    DEBUG   [ORDERVALIDATION]   {"fqdn":"domain.com","status":"pending","expires":"2024-06-17T10:19:33Z","HTTP01Status":"pending","DNS01Status":"pending"}
2024-06-10 12:19:50:6868    DEBUG   [ORDERVALIDATION]   {"fqdn":"www.domain.com","status":"pending","expires":"2024-06-17T10:19:33Z","HTTP01Status":"pending","DNS01Status":"pending"}
2024-06-10 12:19:50:7189    DEBUG   [ORDERVALIDATION]   {"fqdn":"preprod.domain.com","status":"pending","expires":"2024-06-17T10:19:33Z","HTTP01Status":"pending","DNS01Status":"pending"}
2024-06-10 12:19:50:7499    DEBUG   [ORDERVALIDATION]   {"fqdn":"app.domain.com","status":"pending","expires":"2024-06-17T10:19:33Z","HTTP01Status":"pending","DNS01Status":"pending"}
2024-06-10 12:19:50:7818    DEBUG   [ORDERVALIDATION]   Items still pending: True
2024-06-10 12:20:01:8179    INFO    [ORDERVALIDATION]   Still 0 "pending" items left. Waiting an extra 5 seconds.
2024-06-10 12:20:01:8449    DEBUG   [ORDERVALIDATION]   Loop ended no pending items left.
2024-06-10 12:20:02:7949    DEBUG   [ORDERVALIDATION]   Listing PAOrderItems
2024-06-10 12:20:02:8209    DEBUG   [ORDERVALIDATION]   {"fqdn":"domain.com","status":"invalid","expires":"2024-06-17T10:19:33Z","HTTP01Status":"invalid","DNS01Status":null}
2024-06-10 12:20:02:8489    DEBUG   [ORDERVALIDATION]   {"fqdn":"www.domain.com","status":"invalid","expires":"2024-06-17T10:19:33Z","HTTP01Status":"invalid","DNS01Status":null}
2024-06-10 12:20:02:8859    DEBUG   [ORDERVALIDATION]   {"fqdn":"preprod.domain.com","status":"invalid","expires":"2024-06-17T10:19:33Z","HTTP01Status":"invalid","DNS01Status":null}
2024-06-10 12:20:02:9189    DEBUG   [ORDERVALIDATION]   {"fqdn":"app.domain.com","status":"invalid","expires":"2024-06-17T10:19:33Z","HTTP01Status":"invalid","DNS01Status":null}
2024-06-10 12:20:02:9599    ERROR   [ORDERVALIDATION]   Unfortunately there are invalid items. Failed Records:
2024-06-10 12:20:02:9939    DEBUG   [ORDERVALIDATION]   {"fqdn":"domain.com","status":"invalid","expires":"2024-06-17T10:19:33Z","HTTP01Status":"invalid","DNS01Status":null}
2024-06-10 12:20:03:0219    DEBUG   [ORDERVALIDATION]   {"fqdn":"www.domain.com","status":"invalid","expires":"2024-06-17T10:19:33Z","HTTP01Status":"invalid","DNS01Status":null}
2024-06-10 12:20:03:0519    DEBUG   [ORDERVALIDATION]   {"fqdn":"preprod.domain.com","status":"invalid","expires":"2024-06-17T10:19:33Z","HTTP01Status":"invalid","DNS01Status":null}
2024-06-10 12:20:03:0789    DEBUG   [ORDERVALIDATION]   {"fqdn":"app.domain.com","status":"invalid","expires":"2024-06-17T10:19:33Z","HTTP01Status":"invalid","DNS01Status":null}
2024-06-10 12:20:03:1399    ERROR   [ORDERVALIDATION]   Error: {"type":"urn:ietf:params:acme:error:connection","detail":"80.xx.xxx.xxx: Fetching http://domain.com/.well-known/acme-challenge/sUvgJXS4xG8nZPZxQovcv3Zuv6VrlP1IXY323MZBYEM: Timeout during connect (likely firewall problem)","status":400}
2024-06-10 12:20:03:1669    ERROR   [ORDERVALIDATION]   ValidationRecord: {"url":"http://domain.com/.well-known/acme-challenge/sUvgJXS4xG8nZPZxQovcv3Zuv6VrlP1IXY323MZBYEM","hostname":"domain.com","port":"80","addressesResolved":["80.xx.xxx.xxx"],"addressUsed":"80.xx.xxx.xxx"}
2024-06-10 12:20:03:2119    ERROR   [ORDERVALIDATION]   Error: {"type":"urn:ietf:params:acme:error:connection","detail":"80.xx.xxx.xxx: Fetching http://www.domain.com/.well-known/acme-challenge/6-zkSoDDkkKNW7lRhf0TOGIbQd0rYYgw_xR-mfzlrwc: Timeout during connect (likely firewall problem)","status":400}
2024-06-10 12:20:03:2369    ERROR   [ORDERVALIDATION]   ValidationRecord: {"url":"http://www.domain.com/.well-known/acme-challenge/6-zkSoDDkkKNW7lRhf0TOGIbQd0rYYgw_xR-mfzlrwc","hostname":"www.domain.com","port":"80","addressesResolved":["80.xx.xxx.xxx"],"addressUsed":"80.xx.xxx.xxx"}
2024-06-10 12:20:03:2819    ERROR   [ORDERVALIDATION]   Error: {"type":"urn:ietf:params:acme:error:connection","detail":"80.xx.xxx.xxx: Fetching http://preprod.domain.com/.well-known/acme-challenge/K0yLBwTZSoM3-1uZxDb86h5U0wxQxVSe7N-K3YqhJXM: Timeout during connect (likely firewall problem)","status":400}
2024-06-10 12:20:03:3129    ERROR   [ORDERVALIDATION]   ValidationRecord: {"url":"http://preprod.domain.com/.well-known/acme-challenge/K0yLBwTZSoM3-1uZxDb86h5U0wxQxVSe7N-K3YqhJXM","hostname":"preprod.domain.com","port":"80","addressesResolved":["80.xx.xxx.xxx"],"addressUsed":"80.xx.xxx.xxx"}
2024-06-10 12:20:03:3539    ERROR   [ORDERVALIDATION]   Error: {"type":"urn:ietf:params:acme:error:connection","detail":"80.xx.xxx.xxx: Fetching http://app.domain.com/.well-known/acme-challenge/nPr7y8t7K7T2fKwYljKVRD_VZga8vqTbrACBl5D4nZY: Timeout during connect (likely firewall problem)","status":400}
2024-06-10 12:20:03:4009    ERROR   [ORDERVALIDATION]   ValidationRecord: {"url":"http://app.domain.com/.well-known/acme-challenge/nPr7y8t7K7T2fKwYljKVRD_VZga8vqTbrACBl5D4nZY","hostname":"app.domain.com","port":"80","addressesResolved":["80.xx.xxx.xxx"],"addressUsed":"80.xx.xxx.xxx"}
```

Full logs : https://github.com/user-attachments/files/15764673/GenLeCertForNS_Logs_Sanitized.txt

Any idea what could cause that?
Pyla5-Katy0-Vibe7 commented 2 months ago

Another test I did was to stop the script after the validation error 400. I was able to test that all the URLs like http://preprod.domain.com/.well-known/acme-challenge/K0yLBwTZSoM3-1uZxDb86h5U0wxQxVSe7N-K3YqhJXM were accessible via a web browser.

j81blog commented 2 months ago

Sorry for my late reply, was the test from the browser an internal or external test? Maybe your firewall blocks access from other countries (GEO blocks?)

Pyla5-Katy0-Vibe7 commented 2 months ago

> Sorry for my late reply, was the test from the browser an internal or external test? Maybe your firewall blocks access from other countries (GEO blocks?)

It was an internal test. In fact, we suspect that the external validation was done with an IP that was temporarily on one of our blacklists used by our firewall. After a few days, the validation was successful again.
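Added example, not part of this issue thread or of the GenLeCertForNS project: a small Python triage script for the `[ORDERVALIDATION]` log lines quoted above. It parses the per-FQDN status dumps, the `Error:` JSON and the `ValidationRecord:` JSON, keys everything by hostname, maps the RFC 8555 error type to where the fault lies, and lists the `addressUsed`:`port` pairs the CA could not connect to. The sample input is a constructed copy of lines from the report (same sanitised hostnames and IP) plus one constructed `urn:ietf:params:acme:error:unauthorized` record for preprod.domain.com that does not appear in the report; it is there to show that a responder the CA can reach but which serves the wrong content is classified differently from a connect timeout. Function names and the `DIAGNOSES` wording are this example's own.

```python
import json
import re
from typing import Dict, Iterator, Optional, Set, Tuple

# Constructed sample input: a trimmed copy of the [ORDERVALIDATION] lines quoted in the issue
# (sanitised hostnames and validator-facing IP as in the report), plus one constructed
# "unauthorized" record for preprod.domain.com that is NOT in the report.
SAMPLE_LOG = """\
2024-06-10 12:20:02:8209    DEBUG   [ORDERVALIDATION]   {"fqdn":"domain.com","status":"invalid","expires":"2024-06-17T10:19:33Z","HTTP01Status":"invalid","DNS01Status":null}
2024-06-10 12:20:02:8489    DEBUG   [ORDERVALIDATION]   {"fqdn":"www.domain.com","status":"invalid","expires":"2024-06-17T10:19:33Z","HTTP01Status":"invalid","DNS01Status":null}
2024-06-10 12:20:02:8859    DEBUG   [ORDERVALIDATION]   {"fqdn":"preprod.domain.com","status":"invalid","expires":"2024-06-17T10:19:33Z","HTTP01Status":"invalid","DNS01Status":null}
2024-06-10 12:20:02:9599    ERROR   [ORDERVALIDATION]   Unfortunately there are invalid items. Failed Records:
2024-06-10 12:20:03:1399    ERROR   [ORDERVALIDATION]   Error: {"type":"urn:ietf:params:acme:error:connection","detail":"80.xx.xxx.xxx: Fetching http://domain.com/.well-known/acme-challenge/sUvgJXS4xG8nZPZxQovcv3Zuv6VrlP1IXY323MZBYEM: Timeout during connect (likely firewall problem)","status":400}
2024-06-10 12:20:03:1669    ERROR   [ORDERVALIDATION]   ValidationRecord: {"url":"http://domain.com/.well-known/acme-challenge/sUvgJXS4xG8nZPZxQovcv3Zuv6VrlP1IXY323MZBYEM","hostname":"domain.com","port":"80","addressesResolved":["80.xx.xxx.xxx"],"addressUsed":"80.xx.xxx.xxx"}
2024-06-10 12:20:03:2119    ERROR   [ORDERVALIDATION]   Error: {"type":"urn:ietf:params:acme:error:connection","detail":"80.xx.xxx.xxx: Fetching http://www.domain.com/.well-known/acme-challenge/6-zkSoDDkkKNW7lRhf0TOGIbQd0rYYgw_xR-mfzlrwc: Timeout during connect (likely firewall problem)","status":400}
2024-06-10 12:20:03:2369    ERROR   [ORDERVALIDATION]   ValidationRecord: {"url":"http://www.domain.com/.well-known/acme-challenge/6-zkSoDDkkKNW7lRhf0TOGIbQd0rYYgw_xR-mfzlrwc","hostname":"www.domain.com","port":"80","addressesResolved":["80.xx.xxx.xxx"],"addressUsed":"80.xx.xxx.xxx"}
2024-06-10 12:20:03:2819    ERROR   [ORDERVALIDATION]   Error: {"type":"urn:ietf:params:acme:error:unauthorized","detail":"80.xx.xxx.xxx: Invalid response from http://preprod.domain.com/.well-known/acme-challenge/K0yLBwTZSoM3-1uZxDb86h5U0wxQxVSe7N-K3YqhJXM: 404","status":403}
2024-06-10 12:20:03:3129    ERROR   [ORDERVALIDATION]   ValidationRecord: {"url":"http://preprod.domain.com/.well-known/acme-challenge/K0yLBwTZSoM3-1uZxDb86h5U0wxQxVSe7N-K3YqhJXM","hostname":"preprod.domain.com","port":"80","addressesResolved":["80.xx.xxx.xxx"],"addressUsed":"80.xx.xxx.xxx"}
"""

# "<date> <time>    LEVEL   [TAG]   message" as written by the script's logger.
LINE_RE = re.compile(r"^\S+\s+\S+\s+(?P<level>[A-Z]+)\s+\[(?P<tag>[^\]]+)\]\s+(?P<msg>.*)$")
URL_HOST_RE = re.compile(r"https?://(?P<host>[^/\s:]+)")

# RFC 8555 section 6.7 error types seen in HTTP-01 failures, mapped to where the fault lies.
DIAGNOSES = {
    "urn:ietf:params:acme:error:connection":
        "CA never got a TCP connection to addressUsed:port; check firewall, GEO or IP-reputation "
        "blocking from the Internet side (an internal browser test does not exercise this path)",
    "urn:ietf:params:acme:error:unauthorized":
        "CA connected but the challenge response was missing or wrong (e.g. 404 or a stale token); "
        "check the responder/content-switching rule that serves /.well-known/acme-challenge/",
    "urn:ietf:params:acme:error:dns":
        "CA could not resolve the name; check the public DNS records",
}


def order_validation_lines(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (level, message) for each [ORDERVALIDATION] line, skipping everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("tag") == "ORDERVALIDATION":
            yield m.group("level"), m.group("msg")


def _attach_error(item: dict, err: dict) -> None:
    item["error_type"] = err.get("type")
    item["error_detail"] = err.get("detail")
    item["diagnosis"] = DIAGNOSES.get(err.get("type"), "unclassified ACME error; read error_detail")


def triage(text: str) -> Dict[str, dict]:
    """Collect, per FQDN, the last challenge status, the CA's error and its validation record."""
    items: Dict[str, dict] = {}
    pending_error: Optional[dict] = None  # an Error whose detail carried no URL to read the host from
    for _level, msg in order_validation_lines(text):
        if msg.startswith("{"):
            rec = json.loads(msg)
            if "fqdn" in rec:  # per-item status dump; the last one seen wins
                items.setdefault(rec["fqdn"], {}).update(
                    status=rec.get("status"), http01=rec.get("HTTP01Status"), dns01=rec.get("DNS01Status"))
        elif msg.startswith("Error: "):
            err = json.loads(msg[len("Error: "):])
            host = URL_HOST_RE.search(err.get("detail", ""))
            if host:
                _attach_error(items.setdefault(host.group("host"), {}), err)
            else:
                pending_error = err  # attach to the ValidationRecord that follows
        elif msg.startswith("ValidationRecord: "):
            vr = json.loads(msg[len("ValidationRecord: "):])
            item = items.setdefault(vr["hostname"], {})
            item.update(url=vr.get("url"), port=vr.get("port"), address_used=vr.get("addressUsed"),
                        addresses_resolved=vr.get("addressesResolved", []))
            if pending_error is not None:
                _attach_error(item, pending_error)
                pending_error = None
    return items


def blocked_endpoints(items: Dict[str, dict]) -> Set[Tuple[str, str]]:
    """(address, port) pairs the CA could not connect to: the firewall rules to review first."""
    return {(i["address_used"], i["port"]) for i in items.values()
            if i.get("error_type") == "urn:ietf:params:acme:error:connection" and i.get("address_used")}


def report(items: Dict[str, dict]) -> str:
    lines = []
    for fqdn, i in sorted(items.items()):
        lines.append(f"{fqdn}: status={i.get('status')} http01={i.get('http01')} dns01={i.get('dns01')}")
        if "error_type" in i:
            lines.append(f"  {i['error_type']} via {i.get('address_used')}:{i.get('port')}")
            lines.append(f"  -> {i['diagnosis']}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(report(result))
    print("endpoints the CA could not reach:", sorted(blocked_endpoints(result)))
```

Run it against the sanitised log file instead of `SAMPLE_LOG` to get the same summary for a real order. For every `urn:ietf:params:acme:error:connection` entry the CA never completed a TCP handshake to `addressUsed`:`port`, so a check from inside the network, like the browser test above, cannot reproduce it; the probe has to come from an Internet address that is on none of the firewall's allow lists or reputation feeds. Let's Encrypt does not publish the addresses its validators use and validates from several vantage points, so the HTTP-01 path on port 80 has to be reachable from any source for the lifetime of the order rather than from a short list of known IPs.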